
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 14,924 | Critical: 919 | High: 3,029 | Medium: 10,777
Showing 421-440 of 14924 records
Threat Entry Updated 2026-03-11

CVE-2026-2724 - Unlimited Elements For Elementor Plugin

The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form entry fields in all versions up to, and including, 2.0.5. This is due to insufficient input sanitization and output escaping on form submission data displayed in the admin Form Entries Trash view. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the trashed form entries.

PLUGIN Unlimited Elements For Elementor

CVE-2026-2724

HIGH CVSS 7.2 2026-03-10
Threat Entry Updated 2026-03-11

CVE-2026-1261 - Metform Pro Plugin

The MetForm Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Quiz feature in all versions up to, and including, 3.9.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Metform Pro

CVE-2026-1261

HIGH CVSS 7.2 2026-03-10
Threat Entry Updated 2026-04-08

CVE-2026-3585 - The Events Calendar Plugin

The The Events Calendar plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.15.17 via the 'ajax_create_import' function. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN The Events Calendar

CVE-2026-3585

HIGH CVSS 7.5 2026-03-10
Threat Entry Updated 2026-03-11

CVE-2026-1920 - Booktics – Booking Calendar for Appointments and Service Businesses Plugin

The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'Extension_Controller::update_item_permissions_check' function in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to install addon plugins.

PLUGIN Booktics – Booking Calendar for Appointments and Service Businesses

CVE-2026-1920

MEDIUM CVSS 5.3 2026-03-10
Threat Entry Updated 2026-03-11

CVE-2026-1919 - Booktics – Booking Calendar for Appointments and Service Businesses Plugin

The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple REST API endpoints in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to query sensitive data.

PLUGIN Booktics – Booking Calendar for Appointments and Service Businesses

CVE-2026-1919

MEDIUM CVSS 5.3 2026-03-10
Threat Entry Updated 2026-04-15

CVE-2026-1508 - Court Reservation Plugin

The Court Reservation WordPress plugin before 1.10.9 does not have a CSRF check in place when deleting events, which could allow attackers to make a logged-in admin delete them via a CSRF attack.

PLUGIN Court Reservation

CVE-2026-1508

MEDIUM CVSS 4.3 2026-03-10
Threat Entry Updated 2026-03-11

CVE-2026-0953 - Tutor LMS Pro Theme

The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.9.5 via the Social Login addon. This is due to the plugin failing to verify that the email provided in the authentication request matches the email from the validated OAuth token. This makes it possible for unauthenticated attackers to log in as any existing user, including administrators, by supplying a valid OAuth token from their own account along with the victim's email address.

THEME Tutor LMS Pro

CVE-2026-0953

CRITICAL CVSS 9.8 2026-03-10
Threat Entry Updated 2026-03-09

CVE-2026-2433 - RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging Plugin

The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via postMessage in all versions up to, and including, 5.0.11. This is due to the plugin's admin-shell.js registering a global message event listener without origin validation (missing event.origin check) and directly passing user-controlled URLs to window.open() without URL scheme validation. This makes it possible for unauthenticated attackers to execute arbitrary JavaScript in the context of an authenticated administrator's session by tricking them into visiting a malicious website that…

PLUGIN RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging

CVE-2026-2433

MEDIUM CVSS 6.1 2026-03-07
Threat Entry Updated 2026-03-09

CVE-2026-2420 - Lotekmedia Popup Form Plugin

The LotekMedia Popup Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the frontend of the site where the popup is displayed.

PLUGIN Lotekmedia Popup Form

CVE-2026-2420

MEDIUM CVSS 4.4 2026-03-07
Threat Entry Updated 2026-03-09

CVE-2026-1825 - Show Youtube Video Plugin

The Show YouTube video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'syv' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Show Youtube Video

CVE-2026-1825

MEDIUM CVSS 6.4 2026-03-07
Threat Entry Updated 2026-03-09

CVE-2026-1824 - Infomaniak Connect For Openid Plugin

The Infomaniak Connect for OpenID plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'endpoint_login' parameter of the infomaniak_connect_generic_auth_url shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Infomaniak Connect For Openid

CVE-2026-1824

MEDIUM CVSS 6.4 2026-03-07
Threat Entry Updated 2026-03-09

CVE-2026-1823 - Consensus Embed Plugin

The Consensus Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's consensus shortcode in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Consensus Embed

CVE-2026-1823

MEDIUM CVSS 6.4 2026-03-07
Threat Entry Updated 2026-03-09

CVE-2026-1820 - Media Library Alt Text Editor Plugin

The Media Library Alt Text Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bvmalt_sc_div_update_alt_text' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Media Library Alt Text Editor

CVE-2026-1820

MEDIUM CVSS 6.4 2026-03-07
Threat Entry Updated 2026-03-09

CVE-2026-1805 - Da Media Giglist Plugin

The DA Media GigList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's damedia_giglist shortcode in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Da Media Giglist

CVE-2026-1805

MEDIUM CVSS 6.4 2026-03-07
Threat Entry Updated 2026-03-09

CVE-2026-1074 - Wp App Bar Plugin

The WP App Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'app-bar-features' parameter in all versions up to, and including, 1.5. This is due to insufficient input sanitization and output escaping combined with a missing authorization check in the `App_Bar_Settings` class constructor. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into multiple plugin settings that will execute whenever a user accesses the admin settings page.

PLUGIN Wp App Bar

CVE-2026-1074

HIGH CVSS 7.2 2026-03-07
Threat Entry Updated 2026-03-09

CVE-2026-1574 - MyQtip – easy qTip2 Plugin

The MyQtip – easy qTip2 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `myqtip` shortcode in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN MyQtip – easy qTip2

CVE-2026-1574

MEDIUM CVSS 6.4 2026-03-07
Threat Entry Updated 2026-03-09

CVE-2026-1569 - Wueen Plugin

The Wueen plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `wueen-blocket` shortcode in all versions up to, and including, 0.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wueen

CVE-2026-1569

MEDIUM CVSS 6.4 2026-03-07
Threat Entry Updated 2026-03-09

CVE-2026-1087 - The Guardian News Feed Plugin

The Guardian News Feed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify the plugin's settings, including the Guardian API key, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN The Guardian News Feed

CVE-2026-1087

MEDIUM CVSS 4.3 2026-03-07
Threat Entry Updated 2026-03-09

CVE-2026-1086 - Font Pairing Preview For Landing Pages Plugin

The Font Pairing Preview For Landing Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify the plugin's font pairing settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Font Pairing Preview For Landing Pages

CVE-2026-1086

MEDIUM CVSS 4.3 2026-03-07
Threat Entry Updated 2026-03-09

CVE-2026-1085 - Seo Local Rank Plugin

The True Ranker plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.9. This is due to missing nonce validation on the seolocalrank-signout action. This makes it possible for unauthenticated attackers to disconnect the administrator's True Ranker account via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Seo Local Rank

CVE-2026-1085

MEDIUM CVSS 4.3 2026-03-07